Controls the use of standard, integrated, Kerberos, LDAP, and PAM logins
for the database.
Allowed Values
- Standard – the default setting, which does not permit
integrated logins. An error occurs if an integrated login connection is
attempted.
- Mixed – allows both integrated logins and standard
logins.
- Integrated – all logins to the database must be made using
integrated logins.
- Kerberos – all logins to the database must be made using
Kerberos logins.
- LDAPUA – all logins to the database must be made using LDAP
logins.
- PAMUA – all logins to the database must be made using PAM logins.
Note Mixed is equivalent to "Standard,Integrated".
Scope
Option can be set at the database (PUBLIC) level
only.
Requires the SET ANY SECURITY OPTION system privilege to set this option. Takes
effect immediately.
Remarks
Values are case-insensitive. Specify values in a comma-separated list without
white space.
Caution
- Restricting the LOGIN_MODE to a single mode in a mixed environment (for
example, integrated only or LDAPUA only) restricts connections to only those
users who have been granted the corresponding login mapping. Attempting to
connect using other methods generates an error. The only exceptions to this
are users with
full
administrative rights (SYS_AUTH_DBA_ROLE or SYS_AUTH_SSO_ROLE).
- Restricting the LOGIN_MODE to LDAPUA only
may result in a configuration where no users can connect to the server if no
user or login policy exists that permits LDAPUA. Use the command line switch
-al
<user-id-list> with the start_iq utility to recover from this
situation.
- If a database file is not secured and can be copied by unauthorized users,
set the LOGIN_MODE as a TEMPORARY public option for integrated, Kerberos, or
PAM user authentication. This ensures that, by default, integrated,
Kerberos, and PAM logins are not supported if the file is copied.